Bug 185799 - Review Request: nessus-plugins-GPL
Summary: Review Request: nessus-plugins-GPL
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Mahowald
QA Contact: Fedora Package Reviews List
URL:
Whiteboard:
Depends On:
Blocks: FE-DEADREVIEW
 
Reported: 2006-03-18 11:32 UTC by Andreas Bierfert
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-06-18 09:19:46 UTC
Type: ---
Embargoed:



Description Andreas Bierfert 2006-03-18 11:32:14 UTC
Spec Name or Url: http://fedora.lowlatency.de/review/nessus-plugins-GPL.spec
SRPM Name or Url: http://fedora.lowlatency.de/review/nessus-plugins-GPL-2.2.6-1.src.rpm
Description:
Nessus is a free, up-to-date and full featured remote security scanner.
It makes it possible to test security modules in an attempt to find vulnerable
spots that should be fixed.

It is made up of two parts: a server, and a client. The server/daemon,
nessusd, is in charge of the attacks, whereas the client, nessus-client-gtk,
provides the user a nice X11/GTK+ interface.

This package contains Nessus plugins and scripts to build additional plugins.

Comment 1 John Mahowald 2006-04-07 00:12:54 UTC
rpmlint:
rpmlint of nessus-plugins-GPL-2.2.6-1.x86_64.rpm:
W: nessus-plugins-GPL no-version-in-last-changelog
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/hydra.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/objectserver.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/ssl_ciphers.nes 0555
E: nessus-plugins-GPL non-executable-script /var/lib/nessus/plugins_factory/libtool 0444
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/ftp_write_dirs.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/nmap_tcp_connect.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/snmp_portscan.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/nmap_wrapper.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/find_service.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/smad.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/tftp_grab_file.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/synscan.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/nessus_tcp_scanner.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/nikto_wrapper.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/linux_tftp.nes 0555

rpm was probably expecting 755 or so.

- package meets naming guidelines
- package meets packaging guidelines
- license (GPL (obviously :) and BSD) OK, text in %doc, matches source

However, though I'm not a lawyer, certain terms in the Tenable license seem too
restrictive, particularly in the Other Restrictions clause.
Which plugins are licensed under this?

- spec file legible, in am. english
- source matches upstream
- package compiles on devel (x86_64), works
- no missing BR
- no unnecessary BR
- no locales
- not relocatable
- owns all directories that it creates
- no duplicate files
- permissions ok
- %clean ok
- macro use consistent
- code, not content
- no need for -docs
- nothing in %doc affects runtime
- no need for .desktop file

Comment 2 Andreas Bierfert 2006-04-07 07:18:57 UTC
To be honest: I don't know. I will see if I can find something out so...

Comment 3 John Mahowald 2006-04-12 00:05:36 UTC
The specific section in this license that I'm concerned about:

"You shall not, directly or indirectly:  (i) sell, lease, rent, license,
sublicense, distribute, redistribute or transfer any Plugins or
any of your rights under this Agreement; (ii) modify, translate,
reverse engineer (except to the limited extent permitted by law),
decompile, disassemble or create derivative works based on any
Plugins; (iii) use any Plugins other than in conjunction with
Registered Nessus or NeWT Scanners obtained directly from
www.nessus.org or www.tenablesecurity.com to detect
vulnerabilities on your own system or network or on the system or
network; or (iv) remove, alter or obscure any proprietary notice,
labels or marks on any Plugins."


A quick grep through the scripts shows 517 out of 1074 explicitly contain "GPL".
But many say no license at all.

If we knew what falls under this license in this package, if any, they could be
excluded but now I don't know.
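
The per-file license check described above, as an added example (not part of the review or of the nessus-plugins package): it classifies each plugin by the license wording in its leading comment block, so a packager can list which files say GPL, which name some other license, and which say nothing at all. The sample plugin files and their contents are constructed for the demonstration, and the assumption that the license notice sits in the leading '#' comments is the script's own.

```shell
#!/bin/sh
# Added example, not from the review thread. Assumes plugins are text files
# whose license notice, if any, is in the leading '#' comment block.

plugin_license() {
    # Echo GPL, OTHER or NONE for one plugin file, judged from its header only.
    header=$(sed -n '/^#/p;/^[^#]/q' "$1")
    if printf '%s\n' "$header" | grep -qi 'GPL'; then
        echo GPL
    elif printf '%s\n' "$header" | grep -qiE 'licen[cs]e|copyright'; then
        echo OTHER
    else
        echo NONE
    fi
}

classify_plugins() {
    # Print "<gpl> <other> <none>" counts for every .nasl file in a directory,
    # listing each file's verdict on stderr so the unlicensed ones can be found.
    dir="$1"
    gpl=0; other=0; none=0
    for f in "$dir"/*.nasl; do
        [ -f "$f" ] || continue
        verdict=$(plugin_license "$f")
        printf '%s\t%s\n' "$verdict" "$f" >&2
        case "$verdict" in
            GPL)   gpl=$((gpl + 1)) ;;
            OTHER) other=$((other + 1)) ;;
            *)     none=$((none + 1)) ;;
        esac
    done
    printf '%s %s %s\n' "$gpl" "$other" "$none"
}

make_sample_dir() {
    # Constructed sample plugins: one GPL, one with a different license, one silent.
    dir=$(mktemp -d)
    printf '# Copyright 2004 Example Author\n# This script is released under the GNU GPL\nif (description) { }\n' > "$dir/gpl_plugin.nasl"
    printf '# Copyright 2005 Example Author\n# License: non-free, see vendor terms\nif (description) { }\n' > "$dir/other_plugin.nasl"
    printf '# checks for an open tftp server\nif (description) { }\n' > "$dir/unlicensed_plugin.nasl"
    printf '%s\n' "$dir"
}
```

Run it against a real plugin directory with `classify_plugins /var/lib/nessus/plugins`; the stderr listing is what identifies the files that would need to be excluded.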

Comment 4 John Mahowald 2006-05-15 04:38:22 UTC
Debian bug seems to make the most sense of this mess.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291658

You may want to ask the packager which are GPL.

Comment 5 Andreas Bierfert 2006-06-18 09:18:52 UTC
Will move this to lvn ... package should be good to go there =)

Comment 6 Dennis Gilmore 2006-06-18 14:50:40 UTC
Andreas, that is really not the right answer. The correct answer is to ask for
legal to review and see what they say.

Comment 7 Hans de Goede 2006-07-15 05:12:20 UTC
Removing from FE-REVIEW blocker list, since it's no longer under review.

Comment 8 Jason Tibbitts 2006-10-14 22:16:02 UTC
Sorry for the spam; I'm trying to clear the FE-Legal blocker since this ticket
is no longer open, but instead I'm just a bonehead.